From 3e70db526ef05bbf5d9f42072717a91e9866763c Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Tue, 1 Oct 2019 15:23:25 -0700
Subject: [PATCH] sepolicy: fix missing label on vendor_service_contexts

Vendors can publish services with servicemanager only on non-Treble builds. vendor_service_contexts is not meant to be read by servicemanager.

https://android.googlesource.com/platform/system/sepolicy/+/5bccbfefe494aa6fed73a58d80713e28257ba7f1/public/servicemanager.te#22

Bug: 141333155
Test: create /vendor/etc/selinux/vendor_service_contexts and make sure it is correctly labeled.
Change-Id: Ib68c50e0cdb2c39f0857a10289bfa26fa11b1b3c
---
 private/file_contexts | 2 ++
 public/file.te | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/private/file_contexts b/private/file_contexts
index a552d4724..52354e25c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -363,6 +363,8 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
 
+/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
 #############################
 # OEM and ODM files
 #
diff --git a/public/file.te b/public/file.te
index 45c2fbcbb..8a8a0bc94 100644
--- a/public/file.te
+++ b/public/file.te
@@ -477,7 +477,7 @@ type sepolicy_file, system_file_type, file_type;
 type service_contexts_file, system_file_type, file_type;
 
 # nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, file_type;
+type nonplat_service_contexts_file, vendor_file_type, file_type;
 
 # hwservice_contexts file
 type hwservice_contexts_file, system_file_type, file_type;
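Review bot: In private/file_contexts the new `(vendor|nonplat)_service_contexts` entry sits directly under the `# HAL location` comment with no comment of its own, so a later reader cannot tell why this one vendor file carries the `nonplat_service_contexts_file` label. I would add a line above it such as `# vendor service_contexts: read by servicemanager only on non-Treble builds`. The Test: trailer exercises only `/vendor/etc/selinux/vendor_service_contexts`; the `nonplat_` name and the `/system/vendor` prefix that the regex also matches look untested, so an `ls -Z` check on those paths would be worth recording. The rest of the vendor section lies outside this hunk, so whether a more general `/vendor/etc` pattern elsewhere in the file competes with this entry cannot be judged from here.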
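Review bot: In public/file.te, adding `vendor_file_type` to `nonplat_service_contexts_file` makes every allow and neverallow rule written against that attribute apply to this type, and none of those rules is visible in the hunk. It is worth confirming on the built policy (for example with `sesearch`) that no attribute-wide allow gives read access to domains that should not see the vendor service list, and that the non-Treble servicemanager read linked in the description does not collide with a neverallow on the attribute. The comment above the type still describes only the old state; something like `# vendor (nonplat) service_contexts file; vendor_file_type, read by servicemanager only on non full-treble devices` would record why the attribute is there. Since the declaration lives under public/, the attribute change is presumably also visible to vendor policy built against it, which deserves a mention in the commit description.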